# How to Become a Threat Intelligence Analyst
Cyber threat intelligence (CTI) is the discipline of collecting, analyzing, and communicating information about adversaries: who they are, what they want, how they operate, and what they will do next. A threat intelligence analyst is the practitioner who produces that intelligence. Not the person who reads threat feeds. The person who interprets them, contextualizes them against a specific organization or sector, and translates raw data into actionable decisions for defenders, executives, and incident responders.
The distinction matters because the market is full of "threat intelligence" that is actually threat data: IP addresses, domain names, file hashes, and vulnerability identifiers fed from commercial vendors into a SIEM or TIP (threat intelligence platform). Data is not intelligence. Intelligence is data that has been processed through analysis to answer a specific question for a specific decision-maker. A CTI analyst's primary output is not a dashboard. It is a written product: an intelligence report, a threat actor profile, a campaign assessment, or a strategic advisory memo.
Within CDA's Planetary Defense Model (PDM), threat intelligence lives in the TID domain (Threat Intelligence and Defense), the fifth concentric layer, mapped to the atmospheric layer of a planet. The atmosphere is where threats become visible before they reach the terrain. TID analysts are the atmospheric sensors. Their work directly enables every domain below: DPS, VSD, SPH, IAT, and RGA all depend on intelligence about who is attacking, with what tools, and toward what objectives. A strong TID layer converts reactive defense into anticipatory defense.
The career path into CTI is accessible from multiple directions. Military intelligence veterans, law enforcement analysts, academic researchers, and journalists have all built successful CTI careers because the core discipline, structured analysis to produce written assessments, transfers directly. Technical depth matters but it is not the primary gate. Analytical rigor is.
Analytical writing is the most underestimated requirement in CTI. Intelligence is produced in written form. An analyst who can identify a threat actor but cannot write a coherent, structured report about that actor has not completed the job. Intelligence products follow standardized formats: executive summaries, key judgments stated at the top (not buried at the end), confidence levels called out explicitly, and evidence cited. The IC (intelligence community) format, developed over decades by agencies like the CIA and DIA, exists because structure forces rigor. CTI professionals who come from military intelligence or law enforcement already know this format. Those who do not must learn it deliberately.
Research methodology governs how an analyst builds a case. Confirmation bias is the primary analytical failure mode in CTI: an analyst who starts with a hypothesis and only looks for confirming evidence will produce wrong assessments with high confidence. Structured analytic techniques (SATs), including analysis of competing hypotheses (ACH), key assumptions checks, and red team analysis, exist to counter this. A working knowledge of SATs distinguishes a senior CTI analyst from a data aggregator.
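The ACH technique named above, worked through as an added example (not from the original article); the hypotheses, evidence items, weights and ratings are constructed for illustration, and the weighting scheme (credibility times relevance on a 1-3 scale) is one common variant, not the only one:

```python
# Analysis of Competing Hypotheses (ACH) on a constructed attribution question.
# All hypotheses, evidence and ratings below are made up for illustration.
from typing import Dict, List, Tuple

Rating = str  # "C" consistent, "I" inconsistent, "N" neutral / not applicable

HYPOTHESES: Dict[str, str] = {
    "H1": "financially motivated ransomware affiliate",
    "H2": "state-directed espionage operator",
    "H3": "insider with legitimate access",
}

# (description, weight, {hypothesis: rating}); weight = credibility x relevance, 1-3.
EVIDENCE: List[Tuple[str, int, Dict[str, Rating]]] = [
    ("Extortion note left on file shares",                       3, {"H1": "C", "H2": "I", "H3": "I"}),
    ("Logins came from a known corporate VPN account",           2, {"H1": "C", "H2": "C", "H3": "C"}),
    ("Selective exfiltration of R&D documents, no encryption",   3, {"H1": "I", "H2": "C", "H3": "C"}),
    ("Activity during the account owner's documented leave",     2, {"H1": "C", "H2": "C", "H3": "I"}),
    ("Commodity loader also seen in crimeware campaigns",        2, {"H1": "C", "H2": "N", "H3": "I"}),
    ("No ransom demand received within 14 days of the intrusion", 2, {"H1": "I", "H2": "C", "H3": "C"}),
]


def inconsistency_scores(evidence=EVIDENCE) -> Dict[str, int]:
    """Sum the weights of the evidence each hypothesis is inconsistent with.
    ACH ranks hypotheses by how much evidence argues *against* them, which is
    the direct counter to only collecting confirming evidence."""
    scores = {h: 0 for h in HYPOTHESES}
    for _, weight, ratings in evidence:
        for hypothesis, rating in ratings.items():
            if rating == "I":
                scores[hypothesis] += weight
    return scores


def rank_hypotheses(evidence=EVIDENCE) -> List[Tuple[str, int]]:
    """Least-inconsistent hypothesis first; a close second place means more collection is needed."""
    return sorted(inconsistency_scores(evidence).items(), key=lambda kv: kv[1])


def non_diagnostic(evidence=EVIDENCE) -> List[str]:
    """Evidence rated the same for every hypothesis cannot discriminate between them,
    however compelling it looks on its own."""
    return [desc for desc, _, ratings in evidence if len(set(ratings.values())) == 1]


if __name__ == "__main__":
    for hypothesis, score in rank_hypotheses():
        print(f"{hypothesis} ({HYPOTHESES[hypothesis]}): inconsistency {score}")
    print("non-diagnostic:", non_diagnostic())
```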
OSINT techniques are foundational. Open-source intelligence (OSINT) includes everything collectible from public sources: social media, paste sites, code repositories, domain registration data (WHOIS), certificate transparency logs, job postings (which reveal what technologies a target uses), leaked databases, and the open web. Tools like Maltego (relationship mapping and link analysis), Shodan (exposed asset discovery), SpiderFoot (automated OSINT aggregation), and WHOIS/RDAP lookups are daily-use instruments for a CTI analyst conducting adversary infrastructure research.
Malware analysis fundamentals are required to a practical depth. A CTI analyst does not need to reverse engineer binaries from scratch. That is the malware reverse engineer's job. But a CTI analyst must be able to read a malware analysis report and extract the relevant intelligence: what the malware does, how it communicates (C2 infrastructure), what indicators it leaves behind, and how it compares to known malware families associated with specific threat actors. Understanding sandbox analysis output (from tools like Any.run, Cuckoo, or VirusTotal) and reading disassembly at a high level are practical skills that sharpen attribution work.
Geopolitical awareness separates tactical CTI from strategic CTI. A threat actor does not operate in a vacuum. Nation-state actors have strategic objectives rooted in national security priorities. Cybercriminal groups respond to economic incentives shaped by jurisdiction, sanctions, and law enforcement pressure. Hacktivists act in response to geopolitical events. An analyst who understands why Russia-linked actors prioritize Ukrainian critical infrastructure, why North Korean actors prioritize financial institutions and cryptocurrency platforms, or why Iranian actors focus on Israeli and Saudi targets will produce better attribution and better predictive analysis than one who treats every incident as a purely technical puzzle.
ATT&CK mapping is the common language of CTI. MITRE ATT&CK is the most widely adopted framework for describing adversary behavior in terms of tactics, techniques, and procedures (TTPs). Mapping observed adversary behavior to ATT&CK enables comparisons across incidents, comparisons to known threat actor profiles, and communication with defenders who use ATT&CK to structure their detection coverage. Every CTI professional must be proficient in ATT&CK navigation and ATT&CK-based reporting.
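The comparison workflow described above, as an added example that is not part of the original article; it goes one step further than the paragraph by also listing which of the best-matching actor's techniques the defender has no detection for. The technique IDs are real ATT&CK identifiers; the observation-to-technique mapping, the actor profiles and the coverage set are constructed and do not describe any real threat actor:

```python
# Map observed behaviour to ATT&CK technique IDs, rank candidate actors by TTP
# overlap, then show coverage gaps. Actor profiles and coverage are constructed.
from typing import Dict, List, Set, Tuple

# Analyst's mapping of incident observations to ATT&CK techniques (constructed sample).
OBSERVATIONS: Dict[str, str] = {
    "spear-phishing email with macro-laden attachment": "T1566",  # Phishing
    "scripting host fetched a second stage":            "T1059",  # Command and Scripting Interpreter
    "credential material dumped from memory":           "T1003",  # OS Credential Dumping
    "remote-desktop lateral movement with stolen creds": "T1021",  # Remote Services
    "files encrypted, ransom note dropped":             "T1486",  # Data Encrypted for Impact
}

# Constructed actor profiles, NOT real threat actor intelligence.
ACTOR_PROFILES: Dict[str, Set[str]] = {
    "ACTOR-A (constructed ransomware affiliate)": {"T1566", "T1059", "T1003", "T1021", "T1486", "T1047"},
    "ACTOR-B (constructed espionage set)":        {"T1566", "T1059", "T1071", "T1027", "T1005"},
}

# Techniques the organisation's detection stack covers today (constructed).
DETECTION_COVERAGE: Set[str] = {"T1566", "T1059", "T1486"}


def observed_techniques(observations=OBSERVATIONS) -> Set[str]:
    return set(observations.values())


def jaccard(a: Set[str], b: Set[str]) -> float:
    """Overlap ratio of two technique sets; 0.0 when both are empty."""
    return len(a & b) / len(a | b) if a | b else 0.0


def rank_actors(observed: Set[str], profiles=ACTOR_PROFILES) -> List[Tuple[str, float]]:
    """Order candidate actors by TTP overlap with the observed activity (highest first)."""
    scored = [(name, round(jaccard(observed, ttps), 3)) for name, ttps in profiles.items()]
    return sorted(scored, key=lambda kv: kv[1], reverse=True)


def coverage_gaps(actor: str, coverage=DETECTION_COVERAGE, profiles=ACTOR_PROFILES) -> Set[str]:
    """Techniques in the actor's known repertoire that no current detection covers."""
    return profiles[actor] - coverage


if __name__ == "__main__":
    observed = observed_techniques()
    ranking = rank_actors(observed)
    for name, score in ranking:
        print(f"{score:.3f}  {name}")
    top = ranking[0][0]
    print("uncovered techniques for", top, "->", sorted(coverage_gaps(top)))
```

Overlap alone is a lead, not attribution; the ranking tells the analyst which profile to test with the other evidence before any judgment is written.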
Tool proficiency rounds out the skill set. Beyond OSINT tools, CTI analysts work with threat intelligence platforms (TIPs) including MISP (open-source, widely used in the security community), ThreatConnect, Recorded Future, and Anomali ThreatStream. These platforms aggregate, normalize, and share indicators and intelligence reports. Recorded Future's natural language search and machine learning-driven analysis are particularly useful for large-scale research. VirusTotal is used daily for indicator lookups and malware family identification.
CTI work follows a cycle: direction (what question are we answering?), collection (gathering raw data), processing (organizing and normalizing data), analysis (interpreting data, drawing inferences, evaluating confidence), production (writing the intelligence product), and dissemination (delivering it to the right audience in the right format). A junior analyst typically works within steps three and four. A senior analyst owns the full cycle, including setting direction through a formal intelligence requirements process.
Intelligence products vary by audience and purpose. Strategic intelligence is written for executives and boards: long horizon, focused on threat actor intentions and capabilities, industry-specific context, and business risk implications. Operational intelligence targets security operations leadership: campaign-level analysis, threat actor activity tracking, and defensive prioritization. Tactical intelligence is for incident responders and SOC teams: specific indicators, TTPs, and actionable detection guidance. A complete CTI team produces all three.
Organizations spend billions on security controls and still experience major breaches. The common failure mode is not technical inadequacy but intelligence failure: defenders did not know who was targeting them, what those actors wanted, or how they operated. They were defending against an abstract threat instead of a specific adversary with known capabilities and patterns.
CTI shifts the equation. An organization with a mature threat intelligence function knows which threat actors are relevant to its industry and geography, has mapped those actors' known TTPs to its defensive coverage, and tracks active campaigns that may affect it. That organization patches vulnerabilities that specific threat actors are actively exploiting before deploying new ones that those actors have never used. It detects attacks faster because it is watching for specific behavioral signatures, not just generic anomalies.
The business impact is measurable. Mean time to detect (MTTD) and mean time to respond (MTTR) are the primary operational metrics. CTI directly compresses both. An analyst who identifies a campaign targeting the organization's sector and provides IOCs (indicators of compromise) and TTPs to the SOC enables detections that would otherwise take days to develop from scratch during an active incident.
Misconceptions about CTI are common. The most persistent is that CTI is the same as a threat feed subscription. It is not. A threat feed is a data source. CTI is a discipline that uses threat feeds among dozens of other sources to produce finished intelligence. An organization that subscribes to ten threat feeds but has no one to analyze them has not bought CTI. It has bought noise.
The second misconception is that CTI requires a deep technical background in malware analysis or software exploitation. It helps, but the career path is accessible to people who are strong researchers and strong writers with a working knowledge of how attacks work. Many of the best CTI analysts came from journalism, law enforcement investigations, or academic research.
CDA's TID domain, powered by the Predictive Defense Intelligence (PDI) methodology, is the framework context for CTI work across the ecosystem. PDI's tagline captures the strategic objective: "See the threat before it sees you." That is exactly what CTI is for.
PDI operates at two levels. At the tactical level, it processes indicators and threat actor TTPs to provide SOC teams with the intelligence they need for high-fidelity detections. At the strategic level, it tracks adversary intent and capability shifts that affect organizational risk posture months before an attack materializes. CTI analysts operating under PDI are not feeding a dashboard. They are running an intelligence program with defined requirements, production cycles, and delivery formats.
The TID domain interacts with all five other PDM layers. Intelligence about how threat actors exploit vulnerabilities feeds VSD (Vulnerability and Surface Defense) prioritization. Intelligence about credential theft techniques feeds IAT (Identity Access and Trust) controls. Intelligence about data exfiltration methods feeds DPS (Data Protection and Sovereignty) architecture decisions. Intelligence about regulatory and industry-specific threats feeds RGA (Risk Governance and Assurance) risk assessments. The atmosphere layer does not operate in isolation. It informs every layer below it.
CDArmy missions in the TID domain translate CTI skills into operational deployments. TID-R01 focuses on reconnaissance-phase threat actor profiling, the foundational CTI mission of identifying who is relevant to an organization and mapping their capabilities. TID-B03 puts analysts through campaign tracking and intelligence report production. TID-H03 advances into predictive analysis: using historical actor patterns and current collection to assess what comes next. These missions build the skills described in this article in a structured, documented sequence that becomes a portfolio.
CDA.Institute offers structured coursework in CTI methodology, OSINT techniques, and intelligence product writing, tying formal instruction to the operational experience that CDArmy missions provide. The combination of classroom and operational deployment is the fastest path to a credentialed, demonstrated CTI skill set.
For CDA.Nexus members, The Shield diagnostic visualization surfaces TID posture gaps: specifically, where an organization's atmospheric sensors are blind. A CTI analyst reading a Shield assessment understands immediately which threat actor categories and attack vectors are not covered by current intelligence collection. That gap analysis is a business development tool as much as it is a defensive planning tool.
Written by Evan Morgan